Cryptocurrencies without Proof of Work

Iddo Bentov1, Ariel Gabizon2, and Alex Mizrahi3

1 Department of Computer Science, Technion, [email protected] 2 Department of Computer Science, Technion, [email protected] 3 chromaway.com, [email protected]

Abstract. We study decentralized cryptocurrency protocols in which the participants do not deplete physical scarce resources. Such protocols commonly rely on Proof of Stake, i.e., on mechanisms that extend voting power to the stakeholders of the system. We offer analysis of existing protocols that have a substantial amount of popularity. We then present our novel pure Proof of Stake protocols, and argue that they help in mitigating problems that the existing protocols exhibit.

1 Introduction†

The decentralized nature of Bitcoin [7, 12] means that anyone can become a “miner” at any point in time, and thus participate in the security maintenance of the Bitcoin system and be compensated for this work. The miners continuously perform Proof of Work (PoW) computations, meaning that they attempt to solve difficult computational tasks. The purpose of the PoW element in the Bitcoin system is to reach consensus regarding the ledger history, thereby synchronizing the transactions and making the users secure against double-spending attacks. The miners who carry out PoW computations can be viewed as entities who vote on blocks of transactions that the users recently broadcasted to the network, so that the decision-making power of each miner is in proportion to the amount of computational power that she has. Thus, an individual miner who has a fraction p of the total mining power can create each new block with probability p, though other factors such as “selfish mining” [1,5,6] can influence p. ≈ Under the assumption that the majority of the PoW mining power follows the Bitcoin protocol, the users can become increasingly confident that the payment transactions that they receive will not be reversed [7, 12, 15]. By means of the PoW mechanism, each miner depletes physical scarce re- sources in the form of electricity and mining equipment erosion, and thereby earns cryptographic scarce resources in the form of coins that can be spent within the Bitcoin system. Hence the following question is of interest: can a decentralized cryptocurrency system be as secure as Bitcoin even if the entities who maintain its security do not deplete physical scarce resources?

† The full version of this work includes extra material such as a section on the initial issuance of the money supply, and is available at http://arxiv.org/abs/1406.5694. Cryptocurrency protocols that attempt to avoid wasting physical scarce re- sources commonly rely on Proof of Stake, i.e., on mechanisms that give the decision-making power regarding the continuation of the ledger history to enti- ties who possess coins within the system. The rationale behind Proof of Stake is that entities who hold stake in the system are well-suited to maintain its security, since their stake will diminish in value when the security of the system erodes. Therefore, in an analogous manner to Bitcoin, an individual stakeholder who possesses p fraction of the total amount of coins in circulation becomes eligible to create the next extension of the ledger with probability p. ≈ We use the terminology “pure” Proof of Stake to refer to a cryptocurrency system that relies on Proof of Stake and does not make any use of PoW. To the best of our knowledge, the idea of Proof of Stake in the context of cryptocur- rencies was first introduced in [17], though that discussion focused on non-pure Proof of Stake variants (cf. [3]). PoW based cryptocurrencies become insecure when a significant enough por- tion of the total mining power colludes in an attack. Likewise, the security of pure Proof of Stake cryptocurrencies deteriorates when enough stakeholders wish to collude in an attack. If the majority of the stake wishes to participate in at- tacks on a pure Proof of Stake system, it can be argued that there is no longer enough interest that this system should continue to exist, hence assuming that the majority of the stake will not participate in an (overt) attack is sensible. The same does not necessarily hold in a PoW based system, i.e., the majority of the mining power might be under the control of an external adversary during some time period, while the majority of the participants in this system still wish for it to remain sound. See [3] and Section3 for additional considerations.

2 Pure Proof of Stake

There are two apparent hurdles with decentralized pure Proof of Stake systems: fair initial distribution of the money supply to the interested parties, and network fragility if the nodes are rational rather than altruistic. PoW offers an elegant solution to the first hurdle, by converting physical scarce resources into coins in the system. We provide here an analysis of the second hurdle in an existing pure Proof of Stake system, and also describe our novel CoA and Dense-CoA pure Proof of Stake systems that seek to mitigate this problem. Let us note this second hurdle is less severe in PoW systems, though bribe attacks on Bitcoin have indeed been considered, for example in [16].

2.1 The PPCoin system

PPCoin is a pure Proof of Stake system, in the sense that PoW is used only5 for distributing the initial money supply. Stakeholders in the PPCoin network can

5 See http://peercoin.net/assets/paper/peercoin-paper.pdf. create the next block according to the following type of condition:

hash(prev blocks data, time in seconds, txoutA) ≤ d0 · coins(txoutA) · timeweight(txoutA) (*)

In the inequality (*), time in seconds should correspond to the current time (with some leniency bounds), thus restricting hash attempts to 1 per second and preventing PoW use at creating the next block, because nodes will regard a new block as invalid unless the difference between its time and their local time is within the bounds. The notation coins(txoutA) refers to the amount of coins of some unspent transaction output txoutA, hence if stakeholder A has the private key skA that controls txoutA then she can create a valid block by signing the block with skA and attaching the signature as evidence that condition (*) holds. This means that a stakeholder who controls an output of e.g. 50 coins is 10 times more likely to create a block than a stakeholder who controls an output of 5 coins. See regarding timeweight(txoutA), and Section 2.1.3 regarding † prev blocks data. The constant d0 is readjusted according to a protocol rule that dictates that blocks should be created in intervals of 10 minutes on average, i.e., if fewer stakeholders are online during a certain time period then d0 gets increased. The winning blockchain is the one with the largest cumulative stake, i.e., the blockchain with the most blocks such that stake blocks are weighted according to their d0 difficulties, and PoW blocks have a negligible weight. Although the PPCoin cryptocurrency had a market cap of over $100 million in 2014, the PPCoin protocol has the following problems:

2.1.1 Rational forks

1 On every second we have that Pr[ some block is solved ] 600 , therefore mul- tiple blocks will be solved simultaneously{ every 360000} ≈ seconds 4 days. Rational stakeholders can increase their expected≈ reward by maintaining≈ and trying to solve blocks on the multiple forked chains that were transmitted to them, which would lead to a divergent network. An individual stakeholder can either tie her hands behind her back by ignoring all the forked chains except for one, or opt to gain more rewards by keeping all the forked chains, which may render her entire stake worthless in case the network becomes divergent. The strategy of tying your hands behind your back is not a Nash equilibrium: if all the stakeholders follow this strategy then it is better for an individual stakeholder to deviate and maintain all the forked chains, as her influence on the overall convergence of the network is minor. Network propagation lag im- plies an even greater frequency of forks, as a stakeholder will get competing blocks sent to her even if those blocks were honestly solved a few seconds apart from one another. Worse still, when a rational stakeholder who currently tries to extend the block Bi receives Bi+1 from her peers, she may opt to increase her expected reward by attempting to extend both the chain ...,Bi,Bi+1 and the chain ...,Bi simultaneously. Rational stakeholders may thus prefer to reject blocks whose timestamp is later than another block that they currently try to extend, though an attempt to extend both ...,Bi,Bi+1 and ...,Bi can still be possible if the rule that the stakeholders deploy does not retrace to an earlier chain that is received late due to propagation lag.

2.1.2 Bribe attacks on PPCoin An attacker can double-spend quite easily. After the merchant waits for e.g. 6 block confirmations and sends the goods, the attacker can publicly announce her intent to create a fork that reverses the last 6 blocks, and offer bribes to stakeholders who would sign blocks of her competing branch that starts 6 blocks earlier. The attacker may offer a larger bribe to stakeholders who sign only her branch, and may commit to giving bribes even after her competing branch wins, to encourage more stakeholders to participate in the attack. Notice that the stakeholders who collude with the attacker will not lose anything in case the attack fails. As long as the value of the goods is greater than the total value of the bribes, this attack will be profitable. Let us note that a bribe attack in a pure PoW network has to surmount far greater obstacles: miners who join the attack would deplete their resources while working on a fork with a 6 blocks deficit, and it is a nontrivial task to assess the success probability by measuring how many other miners participate in the attack. See also [3, Section 5.3].

2.1.3 Opportunistic attacks in relation to the need to disallow PoW A stakeholder who holds a significant fraction of all the coins is able to generate a significant fraction of the blocks, as the probability to generate a block is proportional to the amount of coins that a stakeholder holds. Therefore, from time to time a stakeholder will be able to generate chains of consecutive blocks. We can analyze this event by using a simplified model where stakeholders who 1 1 own M of all coins can generate a block with probability M , and the probability 1 k to generate k sequential blocks is ( M ) . This approximation is accurate under the assumption that the stakeholder holds a number of unspent transaction outputs significantly larger than k, so that timeweight will have no impact. We can estimate the average number of blocks between groups of k sequential blocks generated by one stakeholder as a mean of exponential distribution, which would be equal to 1/(1/M)k = M k. If merchants wait for k confirmations before sending their goods, the stake- holder has a chance to attack the merchant when she is able to generate k sequential blocks, thus the mean number of blocks between such attacks is M k. 1 For example, a stakeholder who holds 4 of all coins participating in stake mining will be able to carry out a 6-block reorganization each 46 = 4096 blocks, i.e., approximately once per month if one block is generated every 10 minutes. An attacker who is able to create k sequential blocks would prefer to know about it as early as possible, so that she has enough time to send the payment transaction (that she intends to reverse) to the merchant. If the possible stake- holders’ identities who may create the next blocks are derived from a low en- tropy process that only takes into account the identities who created the previous blocks, then the attacker can “look into the future” by carrying out brute-force computations to assess the probabilities that she will be able to create the k consecutive blocks at certain points in time. In order to gain a measure of un- predictability, PPCoin re-calculates once every 6 hours a “stake modifier” value that depends on the transactions that the previous blocks included, i.e., this stake modifier is part of prev blocks data in condition (*). Therefore, a stake- holder who obtains an opportunity to generate k blocks in a row can know about this approximately 6 hours in advance, so she has plenty of time to mount an attack. If the protocol required the stake modifier to be re-calculated at a shorter time interval, this would open the door for a stakeholder to do PoW attempts at deriving herself as being able to create future blocks more frequently.

2.2 The CoA pure Proof of Stake system

The Chains of Activity (CoA) system that we hereby present is a pure Proof of Stake protocol that aims to overcome the problem of rational forks (cf. Section 2.1.1) by dictating that only a single stakeholder identity may create the next block, and solidifying the random choices for these identities in the earlier ledger history via an interleaving mechanism. The CoA protocol is based in part on the core element of PoA [3], i.e., on a lottery among the online stakeholders via the follow-the-satoshi procedure. This procedure takes as input an index of a satoshi (smallest unit of the cryptocur- rency) between zero and the total number of satoshis in circulation, fetches the block of ledger data in which this satoshi was minted, and tracks the transactions that moved this satoshi to subsequent addresses until finding the stakeholder who can currently spend this satoshi (cf. [3, Section 3 and Appendix A]). Note that if for example Alice has 6 coins and Bob has 2 coins then Alice is 3 times more likely to be picked by follow-the-satoshi, regardless of how their coins are fragmented. This implies that a stakeholder who holds her coins in many Sybil addresses do not obtain any advantage with regard to follow-the-satoshi. The CoA protocol is parameterized by an amount of minted satoshis 2κ, a subgroup length w 1, a group length ` = κ w, a function comb : 0, 1 ` 0, 1 κ, a minimal block≥ interval time G , a minimal· stake amount C ,{ an award} → { } 0 0 amount C1 where 0 C1 < C0, and a double-spending safety bound T0. The blocks creation≤ process of CoA assembles a blockchain that is comprised of groups of ` consecutive blocks:

` ` ` z }| { z }| { z }| { 22 2, 22 2, 22 2, ··· ··· ··· ··· The rules of the CoA protocol are specified as follows:

The CoA Protocol

1. Each block is generated by a single stakeholder, whose identity is fixed and publicly known (as will be explained in the next steps). This stakeholder collects transactions that are broadcasted over the CoA network as she sees fit, and then creates a block Bi that consists of these transactions, the hash of the previous block, the current timestamp, the index i, and a signature of these pieces of data as computed with her private key. 2. Every newly created block Bi is associated with a supposedly uniformly distributed bit bi that is derived in a deterministic fashion, for example by taking the first bit of hash(Bi). 3. The time gap between Bi and Bj must be at least j i 1 G . This means | − − |· 0 that if for example the next four blocks Bi,Bi+1,Bi+2,Bi+3 were supposed to be generated by the four stakeholders Ai,Ai+1,Ai+2,Ai+3 but Ai+1 and Ai+2 were inactive, then the difference between the timestamp of Bi+3 and Bi must be at least 2G0. Nodes in the network will consider a newly created block to be invalid if its timestamp is too far into the future relative to their local time.

4. After a group of ` valid blocks Bi1 ,Bi2 ,...,Bi` is created, the network nodes Bi` will form a κ-bit seed S = comb(bi1 , . . . , bi` ). The function comb can simply concatenate its inputs (if w = 1), and several other alternatives are explored in Section 2.2.1. B 5. The seed S i` is then used in an interleaved fashion to derive the identities of the after next ` stakeholders, via follow-the-satoshi. That is, if the next

` valid blocks are Bi`+j1 ,Bi`+j2 ,...,Bi`+j` , then the nodes who follow the protocol will derive the identity of the stakeholder who should create the Bi` block Bi`+j`+z by invoking follow-the-satoshi with hash(i`, z, S ) as input, for z 1, 2,... . ∈ { } 6. If the derived satoshi is part of an unspent output of c < C0 coins, the stakeholder must also attach an auxiliary signature that proves that she controls another output of at least C0 c coins, or else she will not be able to create a valid block. Neither the derived− output nor this auxiliary output may be spent in the first T0 blocks that extend the newly created block. In th case the stakeholder Ai who should create the i block signs two different 0 blocks Bi,Bi, any stakeholder Aj among the next T0 derived stakeholders can include it as evidence in the block that she creates, in order to confiscate at least C0 coins that Ai possessed. The stakeholder Aj is awarded with C1 of the confiscated coins, and the rest of the confiscated coins are destroyed. 7. If the network nodes see multiple competing blockchains, they consider the blockchain that consists of the largest number of blocks to be the winning blockchain.

The interleaving in step 5 is crucial as a cementing mechanism. Otherwise, competing last stakeholders may extend the chain with seeds that derive different ` next identities, introducing divergence risk because it is rational for the next identities to extend the different forks. This cementing process ensures that unless ` stakeholders collude by bypassing their turn on the honest chain and creating≈ a hidden fork instead, only a single stakeholder will be eligible to create each next block. Thus the rational forks hazard is avoided. The punishment scheme in step 6 expires after T0 blocks, because honest stakeholder must eventually regain control over their security deposit (see also Section3). Note that a stakeholder can divide her coins among multiple outputs, so that only one of the outputs would become unspendable for T0 blocks. If C1 C0, an attacker might double-sign and publish the double-signing evidence ≈ C0 in a next block to recover her security deposit, so C1 2 is a better choice. If ` is very large (in the extreme ` = , i.e., practically≤ equivalent to selecting the identities of the stakeholders via a round-robin),∞ then an attacker may try to gain possession of future consecutive satoshis to mount a double-spending attack (cf. Section 2.2.3). On the other hand, small ` makes it easier for coalitions to influence the future identities (cf. Section 2.2.1). Moreover, if the range of comb were κ0 < κ, an attacker could more easily see into the future, e.g. with κ0 = 10 the attacker could buy satoshis of consecutive identities in one possible next group and succeed with probability 1/1024 to carry out a double-spending attack. A sensible recommendation for the CoA parameters can be κ = 51 (for 21 million coins of 108 satoshis each), w = 9 with comb as the iterated majority≈ function (see Section 2.2.1), ` = 459, G0 = 5 minutes, and T0 = 5000.

2.2.1 Using low-influence functions to improve chain selection To give an intuitive illustration of the advantages of different choices, we focus on the prominent case of analyzing the probability that the last stakeholder in the chain, A`, can choose herself again as one of the first possible stakeholders 0 0 A1,...,A` of the next round (see Figure1). Denote this probability by µ. We also make the simplifying assumptions that the previous players have indeed picked their bits bi randomly, and that the function hash is a random oracle. Let us assume that A` has a q-fraction of the coins in the system, and denote ` p = 1 (1 q) . Thus, µ = p in case A` picks a random bit. − −

Simple concatenation: We let comb(b , b , . . . , b`) b b b`, where 1 2 , 1 ◦ 2 ◦ · · · ◦ bi is the supposedly random bit that stakeholder Ai provided. The probability 0 µ that A` can choose herself in the next round is the probability that b 0 ∃ ∈ 0, 1 , i 1, . . . , ` such that hash(i + i, comb(b , . . . , b`− , b )) maps to a { } ∈ { } 0 1 1 coin of A` under follow-the-satoshi. Using the simplifying assumption that these are random independent values we have µ = 1 (1 p)2 = 2p p2 2p. − − − ≈ Combining majority with concatenation: Assume now that ` = κ w for positive integer w. We now split the ` stakeholders into groups of size w:· A1,...,Aw,Aw+1,...,A2w,...,A(κ−1)·w+1,...,Aκ·w = A`. Each group will de- termine a bit of the seed using the majority function. That is, the ith bit of the seed, denoted si, will be the majority of the bits b(i−1)·w+1, . . . , biw. And s = comb(b1, . . . , b`) , s1 s2 sκ. Note first that when the bits bi are all chosen randomly, s is random◦ –· · as · ◦ the majority of random inputs is a random bit. Now, we analyze again the probability µ that A` can choose herself in the next round. It can be shown, using Stirling’s approximation, that with probabil- 6 p ity roughly 1 2/πw the last bit of the seed, sκ, will already be determined − 6 More precisely, as w goes to infinity this is the limit of the probability of the event. by the bits of the previous stakeholders. This is because when w players choose a bit randomly, the probability that exactly half of the bits came out one tends w w+1/2 w 2 √ w p to (w/2)/2 πw /2 = 2/πw. In the absence of this event we have µ = p, ≈ “as it should be”. When this event happens, as before A` can get to probability p p 2p. In total we have µ p (1 2/πw) + 2p 2/πw. Taking a large enough ≈w, this is much closer to≈ the· “correct”− p than in· the previous choice of comb.

Protection against larger coalitions: Let us use the terminology that a function comb : 0, 1 ` 0, 1 κ is an ε-extractor if for any choice of the coalition C of size{ c,} and→ any { strategy} of C to choose their input bits after seeing the bits of the honest players, comb(b1, . . . , b`) produces an output that is ε-close to uniform. [9], using the analysis of [2], give the following construction of an ε-extractor – that is in fact the same one we described earlier when replacing the majority function with iterated majority (defined in [2] and illustrated in Figure1).

KZ(b1, . . . , b`):

Choose w = 3 (c/ε)1/α, where α = log 2. Set ` = w κ. • · 3 · Output κ bits via iterated majority of consecutive groups of w inputs. • Upon fixing ε as the desired statistical error, κ as the desired output length, and ` as the total number of players in a chain, KZ can handle a coalition of α size c ε (1/3 `/κ) . On the other hand, [9] show that any such ε-extractor can handle≤ coalitions· · of size at most c ε 10 `/(κ 1). ≤ · · − Since α > 1/2, it follows that this choice of comb is less than quadratically worse than the optimal choice. Notice that this assumes that stakeholders who are not honest are non-oblivious, i.e., that they see the choices of the honest stakeholders before they play. This conservative assumption makes a certain sense in our context, as it easier for stakeholders who play in the last locations to try to collude in order to influence the seed.

Majority Iterated Majority

Pr[last player can influence] = Pr[a = b] Pr[c = d] = 1/2 1/2 = 0.25 6 · 6 ·

a b 1 0

8 8 Pr[last player can influence] = (4)/2 = 0.273

c d 0 1 1 0 1 1 0 0 1 0 1 0 0 1 0 1

Fig. 1. Majority versus Iterated Majority.

1 2.2.2 Rational collusions

Stakeholders may wish to collude and skip the last several blocks as if they did not exist, i.e., to extend the blockchain from an earlier block, in order to gain the fees that went to previous stakeholders. This can be mitigated by including in each transaction the index of the latest block that the user who made this transaction is aware of. For example, if the last block of the chain is Bi and it contains a transaction tx that specifies that block i 1 exists, and a new 0 − transaction tx1 that specifies that block i exists is broadcasted, then the stake- holder who creates Bi+1 cannot reverse Bi to collect the fees of both tx0 and tx1, because Bi must exist in the chain that contains tx1. The user can even specify in her transaction the index of the block that is currently being created, but this implies that the user will need to send another transaction in the case that the current stakeholder is offline. The colluding stakeholders diminish the overall value of their stake when they participate in such attacks, hence this strategy is not necessarily rational. It is also possible to reward stakeholders via monetary inflation and have the transaction fees destroyed to provide a counterbalance, though bribe attacks may then become more likely (see Section 2.2.3).

↓(payment) ↓(merchant sends goods)

To demonstrate· how a successful double-spending attack on the CoA protocol looks like: in this example the colluding stakeholders create an alternative history of 5 blocks, by extending the previous block with a chain that includes a conflicting transaction:

↓(conflicting transaction) × ·

Fig. 2. Illustration of a double-spending attack in the CoA system.

2.2.3 Bribe attacks on CoA

Suppose that the number of blocks that merchants consider to be secure against double-spending attacks is d, i.e., a merchant will send the goods after she sees that the payment transaction that she received in block Bi1 has been extended by

Bi2 ,Bi3 ,...,Bid extra blocks. An attacker can now offer bribes to d + 1 or more stakeholders, for example to the next id + 1, id + 2, . . . , id + d + 1 stakeholders so that they would extend the blockchain starting from the block that preceded Bi1 and exclude that payment transaction. The attacker will need to bribe more than d + 1 stakeholders if some of them refuse the bribe. Since rational stakeholders will not participate in the attack without an incentive, the cost of the attack is at least µ(d + 1) where µ is the average bribe amount that is given to each stakeholder. Observe that Pr[ successful attack ] < 1 since some of the stakeholders might be altruistic, some of{ the rational stakeholders} may think that it would be un- profitable to participate in such attacks, and the attacker’s funds are not unlim- ited. Hence, a rational stakeholder will choose to accept the bribe by weighing whether (µ + F 0) Pr[ successful attack ] > F (1 Pr[ successful attack ]), where F and F 0 are· the{ fee amounts that} this stakeholder· − { will collect on} the honest chain and the attacker’s chain, respectively. Note that F 0 = 0 is likely when the safety mechanisms of Section 2.2.2 are deployed, since it is rational for users to continue to transact on the honest chain as long as the attacker’s chain is inferior. Overall, the attacker may need to spend substantially more than µ(d + 1) coins for the attack to succeed. In Figure2 we illustrate the nature of a double-spending bribe attack. The above stands in stark contrast to Section 2.1.2, as the short-term dom- inant strategy of the PPCoin stakeholders is to participate in the attack, while the CoA stakeholders will forfeit their reward F if the attack fails. In our setting, the premise of a short-term strategy can be regarded to be that the utility per coin is constant, while the premise of a long-term strategy can be regarded to be that the utility per coin may change due to actions taken by the player. Notice that the attacker cannot simply bribe the stakeholders who generated the blocks Bi1 ,Bi2 ,Bi3 ,...,Bid to create an alternative history of length d in a risk-free manner, as their coins will be confiscated if they double-sign. Formally, let us restrict ourselves to a limited strategy space (cf. [10]) in which players have to choose one of only these two actions (**),

1. Follow the protocol honestly by signing a block that extends the longest known chain. 2. Accept bribe and sign the attacker’s block which extends the secretive chain that the attacker builds.

This restriction can be justified under plausible assumptions. In particular, the C0 penalty can be assumed to be high enough to make the action of double- signing unappealing. This requires the presupposition that the double-signing punishment mechanism is effective in the sense that the evidence of double- signing will be recorded on every fork, and hence the utility of a player is the value of attacker’s bribe minus the loss of her C0 security deposit. This also implies that our analysis here only covers forks that are shorter than the T0 deposit duration, in Section3 we discuss attacks that involve longer forks. Our objective is to show that the honest strategy is dominant. In fact, we will show that under further assumptions no attack will be initiated, thus only the honest action will be available to the players. To analyse what merchants can consider to be an appropriate confidence level for security against double-spending in the CoA system, let us make a reasonable assumption regarding the participation rate of stakeholders in the CoA network. Density assumption. Let ρ > 1/2. In the longest blockchain, for every segment of K or more potential blocks, at least ρK of those blocks were created. While this is a simplifying assumption, it is indeed reasonable, as our presup- position for the CoA network is that its security is derived from stakeholders’ participation. Notice that we do not assume that the majority of stakeholders are altruistic (i.e., follow the CoA protocol even if it is against their self-interest). Although an altruistic majority would facilitate a system with better security, a rational majority is far more likely to capture reality. Let B0 be a block in which some particular payment transactions resides. Let δ denote the amount missing blocks in largest segment with participation 1 0 rate /2 prior to B0, and let ρ denote the density of the longest segment that ≤ 0 10 follows B0. In the illustration below, δ = 3 and ρ = /14.

δ=4−1 density: ρ0≥ρ B0 22 22222 z }|2{ 2 22z 222 2}| 2222 { ··· ··· Claim 1. Let ε be the average fee amount that a stakeholder earns for creat- ing a block. Assume that stakeholders are restricted to the strategy space (**). Assume that reversing B0 has a value of V coins to the attacker. If the attacker is rational in the sense that she does not wish to lose coins, then the merchant is safe by waiting until S blocks extend B0 before sending the merchandise, for S that satisfies V < ε(ρ0S δ + 1). Proof. By using the safety− extension that is described in Section 2.2.2, we may consider the blocks in a hostile competing fork to be void of transactions, and therefore it is rational of each colluding stakeholder who could otherwise earn ε coins to demand a bribe of more than this amount. There exist (1 ρ0)S + δ stakeholders who can contribute to the attack and have already forfeited− their turn to create a block, thus the merchant may assume that in the worst case they will collude with the attacker for free. As the other S + 1 stakeholders need to be bribed with ε coins each, V < ε(S (1 ρ0)S δ + 1) = ε(ρ0S δ + 1) implies that the attack is unprofitable. − − − − 2 The above argument gives only a crude bound, since it does not capture all the relevant aspects w.r.t. the attack. In particular, the coins that the attacker recovers (in the case of a successful attack) may have less purchasing power, be- cause the cryptocurrency system becomes less valuable whenever double-spending attacks take place. Claim 2. If the density assumption holds in addition to the assumptions of Claim 1, then the merchant can be confident that it is irrational to carry out a double-spending attack after B0 has been extended by S blocks, for S that satisfies V < ε(ρS K + 1). Proof. According− to the density assumption, it holds that K > δ, and since the merchant waited until more than K blocks extend B0 it also holds that ρ0 ρ. Therefore, (1 ρ)S + K (1 ρ0)S + δ, and the result follows from Claim≥ 1. − ≥ − 2 To get a better sense of things, let us substitute concrete numbers for the above parameters. Suppose for example that ρ = 7/10, K = 20, ε = 10 coins, and V = 100 coins. Hence 10 (7/10 S 19) > 100 implies that S = 42 blocks are sufficient. This means that· the merchant· − will need to wait 42 5 minutes or 3.5 hours before sending the merchandise, in case CoA is parameterized≤ · according to G0 = 5 minutes.

2.2.4 Majority takeover

Consider some stakeholders A1,A2,...,Am who control all of the first ` locations in the current round. Suppose that these m stakeholders possess p-fraction of the total stake, and they wish to collude and control all the locations in all of the next rounds, thereby creating a winning chain that consists of only their blocks. While this strategy may be irrational as it diminishes the value of their stake, perhaps the m stakeholders prefer a competing system and wish to destroy CoA. Due to interleaving (cf. Section 2.2), the starting condition for this attack is more difficult to achieve, as these m stakeholders need to control 2` locations. Suppose that q-fraction of the honest stake is offline, hence the m stakeholders can give on average a head start of ( 1 1)` blocks to a competing group (1−p)(1−q) − in each round. Denoteq ˆ ( 1 1). Let Y be the random variable that , (1−p)(1−q) − counts how many of the first (2+ˆq)` locations of the next round will be controlled by the m stakeholders, so E[Y ] = (2 +q ˆ)`p. Using tail inequality, it holds that

1 1 1 Pr(Y > `) = Pr(Y > E[Y ]) exp ( 1)2 (2 +q ˆ)`p . (2 +q ˆ)p ≤ {− (2 +q ˆ)p − · 3}

Thus, the amount of hash invocations that these m stakeholders need to compute tends toward infeasibility when p is smaller or when ` is larger. For example, with ` = 459, p = 1/10, q = 1/5, the m stakeholders will need more than e371 2535 hash attempts on average. ≈ Compared with Bitcoin, in a Proof of Stake based system such as CoA it is less reasonable to assume that a large combined stake is an hostile external attacker (see [3, Section 2.1]), hence p is likely to be small.

2.3 The Dense-CoA pure Proof of Stake variant

The Dense-CoA pure proof of stake protocol is an alternative variant of CoA in which the identities of stakeholders who should create the next blocks are not known far in advance, with the objective of making collusions and bribe attacks more difficult. Another plus point of Dense-CoA is that it makes it more difficult for rational stakeholders to obtain disproportional rewards. The disadvantages of the Dense-CoA protocol are susceptibility to DoS attacks by large stakeholders, and greater communication and space complexities. In Dense-CoA, each block is created by a group of ` stakeholders, rather than by a single stakeholder:    ###  ` ### . . . ···  ###. . .   ### The blockchain: 2⇓ 2⇓ 2⇓ ··· Let h : 0, 1 n 0, 1 n be a one-way permutation. Let us assume for a { } → { } Bi−1 moment that the block Bi−1 is associated with a seed S that was formed by the ` stakeholders who created Bi−1. Now, the identity of the stakeholder A` who determines which transactions to include in a block Bi is derived by invoking follow-the-satoshi with hash(i, `, SBi−1 ) as input, and the identities of the rest of the stakeholders A1,A2,...,A`−1 who must participate in the Bi− creation of Bi are derived by invoking follow-the-satoshi with hash(i, j, S 1 ) for j 1, 2, . . . , ` 1 . These ` stakeholders engage in a two-round protocol to ∈ { − } create the current block Bi:

In round 1, for every j 1, 2, . . . , ` , the stakeholder Aj picks a random • n ∈ { } secret Rj 0, 1 , and broadcasts h(Rj) to the network. ∈ { } In round 2, for every j 1, 2, . . . , ` 1 , the stakeholder Aj signs the • ∈ { − } message M h(R ) h(R ) h(R`), and broadcasts her signature , 1 ◦ 2 ◦ · · · ◦ signskj (M) and her preimage Rj to the network. We require Dense-CoA to use a signature scheme with multisignature [4,8, ` 11, 13] support, therefore A` can aggregate the signatures signskj (M) j=1 into a single signature ˆs(M). Note that the size of ˆs(M) depends{ only on the} security parameter of the signature scheme (and not on `), and the verification time is faster than verifying ` ordinary (ECDSA) signatures. Hence, the stakeholder A` signs and broadcasts a block Bi that consists of the (Merkle root of the) transactions that she wishes to include, the hash of the previous block Bi−1, the current timestamp, the index i, the ` preimages R1,R2,...,R`, and ˆs(M). To verify that the block Bi is valid, the network nodes invoke h to compute the images h(R1), h(R2), . . . , h(R`), then concatenate these images to form M, and then check that ˆs(M) is a valid signature of M with respect to the public keys pk1, pk2, . . . , pk` that control the winning satoshis of the stakeholders A1,A2,...,A`. Bi Bi The seed S is defined as hash(R1 R2 R`). Notice that S is computationally indistinguishable from random◦ ◦ even · · · ◦if only a single stakeholder Aj picked a random Rj, under the assumption that n is sufficiently large so that the OWP h is resistant to preimage attacks. If some of the ` stakeholders are offline or otherwise withhold their signatures, then after G0 time the nodes who follow the protocol will set t = 1 and derive alternative ` identities from the previous block Bi−1, by invoking follow-the- satoshi with inputs hash(i, t` + j, SBi−1 ) for j 1, 2, . . . , ` . The starting index ∈ { } t` + j should be specified in the new block Bi so that the verification of blocks will be simpler, and the gap between the timestamps of Bi−1 and Bi must be at least tG0. As with CoA, the honest nodes consider the blockchain with the largest amount of valid blocks to be the winning blockchain, and disregard blocks with a timestamp that is too far into the future relative to their local clock. The parameters C0,C1,T0 of the CoA protocol (cf. Section 2.2) are utilized by the Dense-CoA protocol in exactly the same way. The parameter ` should be big enough in order to resist large stakeholders from controlling consecutive seeds SBi ,SBi+1 ,... and re-deriving themselves. For example, to force a stakeholder{ who holds 5%} or 10% of the total stake into making 2100 hash invocations on average until re-deriving herself as all of the ` identities≈ of the next block, we need ` = 23 or ` = 30, respectively. However, if we set G0 = 5 minutes and ` = 23, a malicious stakeholder with e.g. 10% of the 23 total stake will have 1 (90/100) 91% probability to be one of the derived − ≈ stakeholders A1,A2,...,A` and then refuse to participate in creating the next block, hence it will take 5 (1 91%)−1 56 minutes on average to create each next valid block while this· attack− is taking≈ place (actually less than 56 minutes because chains that extend blocks prior to the last block can also become the longest valid chain). Overall, the main difference between the Dense-CoA and CoA protocols is that Dense-CoA offers improved security over CoA in terms of double-spending attacks, but weaker security against DoS attacks by large stakeholders who wish to harm the cryptocurrency. Also, Dense-CoA prevents a rational stakeholder from influencing the seed in an attempt to earn more rewards than her fair share, unless she colludes with all the other ` 1 stakeholders who create the next block. The Dense-CoA protocol is less efficient− than CoA due to the preimages R1,R2,...,R` that need to be stored in each valid block, and the two-round protocol that requires a greater amount of network communication to create each successive block.

3 Solidification of the ledger history

Any decentralized cryptocurrency system in which extending the ledger history requires no effort entails the danger of costless simulation [14], meaning that an alternative history that starts from an earlier point of the ledger can be prepared without depleting physical resources and hence without a cost. This is a problem because a rational adversary who has little or no stake in the system may try to attack by replacing an arbitrarily long suffix of the current ledger history with an alternative continuation that benefits her. Further, a malicious adversary who does not operate out of self-interest is also more likely to attempt this kind of an attack, as she would not incur a monetary loss for executing the attack. In the case of pure Proof of Stake systems, this danger can manifest itself in the following form. Consider participants who held coins in the system a long time ago and have since traded those coins in exchange for other goods, so they are no longer stakeholders of this system. These participants can now collude to extend the ledger from the point at which they had control over the system, and it may indeed be rational for them to mount this attack because it is costless and would have no detrimental outcome from their standpoint, as they have no stake in the current system. More specifically, let us examine how this attack looks like in the CoA or Dense-CoA systems. Even a single stakeholder with few coins can fork the blockchain and create an alternative branch with large enough time gaps as she re-derives herself to create subsequent blocks, but according to the timestamp rules for valid blocks, the other participants will reject this alternative branch (even though it contains more blocks) because the timestamps will be too far ahead in the future relative to their local time. Therefore, if the average partici- pation level among current stakeholders is p%, and the stakeholders who collude to carry out this attack have had control at the earlier history over q% of the coins, then q > p implies that the attack will succeed. Because p% = 1 is highly unlikely, and collusion among participants who held q% > p% stake at an earlier point is costless and rational, this attack vector appears to be quite dangerous. To mitigate this attack, we propose periodic checkpointing as a rigid protocol rule that extends the CoA and Dense-CoA protocols, as follows: Denote by T = 2T the double-spending safety bound of Section 2.2. • 0 1 The blocks at gaps of T1 are designated as checkpoint blocks: the genesis • block is a checkpoint block, and any block that extends a checkpoint block by exactly T1 additional blocks is a candidate checkpoint block. When a node that follows the protocol receives for the first time a candidate • checkpoint block Bj that extends the candidate checkpoint block Bi such that j = i + T1 (or j > i + T1 if stakeholders were inactive), she solidifies Bi meaning that she disallows any changes to the history from the genesis block until Bi, though Bj can still be discarded as a result of a competing fork.

Since the double-spending safety bound is T0, a stakeholder who creates a block can spend the coins only after an intermediate checkpoint block is already solidified, so the costless simulation threat is mitigated (if C0 is substantial). This can be seen in the following illustration:

Ai signs Bi solidified checkpoint Ai can spend c ↓ ↓c ↓c

T1 T1 However, this checkpointing mechanism presents two significant problems: 1. New nodes who enter the decentralized network for the first time cannot tell whether the checkpoint blocks that they receive are trustworthy. 2. Due to propagation lag, adversarial stakeholders can collude by preparing an alternative branch of length T1 + 1, and broadcast the competing forks at the same time, thus creating an irreversible split among the network nodes. The first problem needs to be handled by utilizing a “Web of Trust” type of mechanism that is external to the cryptocurrency system. This means that participants who are unaware of the current state of the system should rely on reputable sources to fetch the blockchain data up to the latest checkpoint. The second problem should also be resolved manually, meaning that partici- pants who become aware of a network split can decide to instruct their node to switch to the other faction, e.g. if they see that they are in the minority. Note, however, that the second problem becomes increasingly unlikely for larger T1 values. The exemplary parameters that we proposed in section 2.2 imply that a fork of T1 + 1 blocks represents more than one week of ledger history. 4 Conclusion It is challenging to design sustainable decentralized cryptocurrency protocols that do not rely on depletion of physical scarce resources for their security maintenance. Our analysis argues that the security of existing such protocols is lacking. We offer novel constructions of pure Proof of Stake protocols that avoid depletion of physical scarce resources, and argue that our protocols offer better security than existing protocols. Future work could extend the scope of our analysis to broader strategy spaces. References 1. Bahack, L. and Courtois, N. 2014. http://arxiv.org/abs/1402.1718. 2. Ben-Or, M. and Linial N. 1990. Collective coin flipping. In Silvio Micali, editor, randomness and computation, pages 91–115. Academic Press, New York. 3. Bentov, I., Lee, C., Mizrahi, A., and Rosenfeld, M. 2014. Proof of Activity. In ACM SIGMETRICS Workshop - NetEcon. http://eprint.iacr.org/2014/452. 4. Boldyreva, A. 2003. Efficient threshold signature, multisignature and blind signa- ture schemes based on the gap-Diffie-Hellman-group signature scheme. In PKC2003. 5. Eyal, I. 2015. The miner’s dilemma. In 36th IEEE S&P. 6. Eyal, I. and Sirer, E. 2014. Majority is not enough. In Financial Cryptography. 7. Garay, J., Kiayias, A., and Leonardos, N. 2014. The Bitcoin Backbone Proto- col: Analysis and Applications. In Eurocrypt 2015. 8. Itakura K. and Nakamura K. 1983. A public key cryptosystem suitable for digital multisignatures. NEC Research & Development, 71:1-8. 9. Kamp J. and Zuckerman D. 2007. Deterministic Extractors for Bit-Fixing Sources and Exposure-Resilient Cryptography. In SICOMP, volume 36. 10. Kroll, J., Davey, I., and Felten, E. 2013. The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries. In 12th WEIS. 11. Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., and Waters, B. 2006. Se- quential aggregate signatures. In J. Cryptology 26(2): 340-373 (2013). 12. Nakamoto, S. 2008. Bitcoin: A peer-to-peer electronic cash system. Bitcoin.org. 13. Micali, S., Ohta K., and Reyzin, L. 2001. Accountable-subgroup multisignatures (extended abstract). In Proceedings of CCS 2001, pages 24554. ACM Press. 14. Poelstra, A. 2014. https://download.wpsoftware.net/bitcoin/pos.pdf. 15. Rosenfeld, M. 2012. http://arxiv.org/abs/1402.2009. 16. User “cunicula”. 2012. https://bitcointalk.org/index.php?topic=122291. 17. User “QuantumM...”. 2011. https://bitcointalk.org/index.php?topic=27787.